Blaster Worm on the Move

By Dennis Fisher |
Posted 2003-08-12

The Blaster worm continued to tear through the Internet Tuesday morning as security experts struggled to find and fix infected systems. The worm is presenting a unique problem for security specialists because it is infecting a large number of PCs owned by home users, many of whom may be unaware that their machines are compromised.

And because Blasters scanning algorithm tends to start by looking for IP addresses that are close to the infected machines, the worm can rattle around inside a local network for quite a while, consuming bandwidth.

Officials at the CERT Coordination Center estimated that the number of infected machines is in the hundreds of thousands and will continue to grow. "A large number of the compromised machines are those of home users. In this case it isnt as easy as downloading a patch because they cant get enough bandwidth to get online and get the patch," said Marty Lindner, team leader for incident handling at CERT, based at Carnegie Mellon University in Pittsburgh.

"The compromise has a harder time getting out of the local network, so its harder to measure how many machines are infected."

Blaster began spreading early Monday afternoon Eastern time and quickly gained momentum. The worm exploits the RPC DCOM (Distributed Component Object Model) vulnerability in all of the current versions of Windows, except ME. The worm scans the Internet and attempts to connect to TCP port 135. After establishing a connection, Blaster spawns a remote shell on port 4444 and then uses TFTP (Trivial File Transfer Protocol) to download the actual binary containing the worm. The worm is self-extracting and immediately begins scanning for other machines to infect.

For users who cannot free up enough bandwidth to download the patch from Microsoft Corp., CERT recommends an alternative remedy. Users should physically disconnect the infected machine from the Internet or network. Then, kill the running copy of "msblast.exe" in the Task Manager utility. Users should then disable DCOM and reconnect to the Internet and download the patch.

However, some security experts and users say that the manual process for disabling DCOM doesnt work on some Windows 2000 machines. On PCs running Windows 2000 in its default configuration or with Service Pack 1 or 2, manually disabling DCOM by setting the registry key or using the DCOM config tool fails actually to fix the problem, said Marc Maiffret, chief hacking officer at eEye Digital Security Inc., in Aliso Viejo, Calif. The process does seem to work on machine with SP 3 or SP4 installed or those running Windows XP and NT 4.0.

"They just had a bug. We discovered it about a week ago," Maiffret said, while adding that Microsoft confirmed the problem to him Tuesday afternoon.

In addition, some corporate networks have been seeing re-infections even after correctly disabling DCOM across the network because the IT staffs failed to restart all of the machines after disabling the service. In order for the process to work, each machine must be restarted.

Blasters scanning has apparently also caused some slowdowns in Internet service on some backbone networks, according to monitoring done by Keynote Systems Inc., based in San Mateo, Calif. The company found that latency times for TCP connections between backbone providers on the West Coast and East Coast increased from the typical 85 milliseconds to between three and nine seconds.

Keynote officials said they could not definitively attribute the slowdowns to the worm, but the timing of the problems corresponds to the beginning of the Blaster outbreak.

Editors note: This story has been updated to include information from Marc Maiffret of eEye Digital Security.